Cyber Incident Victim: InterContinental Hotels Group PLC
Date:
Oct 2014
Location:
United States of America
Summary
InterContinental Hotels Group PLC was alerted by the U.S. Secret Service to a breach impacting multiple properties, with one confirmed incident involving a Holiday Inn Express & Suites location where a malicious email attachment compromised payment systems. The attack exposed names, addresses, payment card numbers, and expiration dates for 613 customers during an extended period before containment. While no evidence of data misuse was found, the company provided affected individuals with credit monitoring and fraud assistance services. The scope of the incident across other properties remained undisclosed at the time of reporting.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
InterContinental Hotels Group (IHG) was notified by the U.S. Secret Service in early 2015 that certain properties within its network had experienced a data security breach. One confirmed affected location was the Holiday Inn Express & Suites in Sulphur, Louisiana, operated by Cities Service, which received direct notification from IHG on February 11, 2015. An investigation by Cities Service determined that a malicious email attachment had compromised their payment processing systems, enabling unauthorized access to customer payment card data. The breach exposure window spanned from October 13, 2014, until February 11, 2015, when containment measures were implemented. This incident impacted 613 customers, exposing personally identifiable information including full names, residential addresses, payment card numbers, and card expiration dates. Cities Service stated it found no evidence of actual misuse of the stolen data during its investigation. As a remedial action, the hotel operator offered affected individuals complimentary credit monitoring and identity fraud assistance services through IDT911, a third-party provider specializing in data breach response.
IHG, described as operating 4,800 hotels across nearly 100 countries with approximately 710,295 rooms, did not disclose the total number of properties impacted beyond the confirmed Louisiana location. The Secret Service's involvement indicated potential broader implications, though no other hotel-specific breach notifications were publicly documented at the time of reporting. Cities Service filed a formal breach notification with the New Hampshire Attorney General’s Office, consistent with regulatory requirements for incidents affecting residents across multiple states. IHG’s corporate website contained no visible reference to the breach or related security advisories as of the article’s publication date. The malicious email vector highlighted vulnerabilities in payment system infrastructure, with attackers maintaining persistent access for nearly four months before detection. Containment coincided precisely with the February 11 notification date, suggesting remediation efforts were initiated immediately upon confirmation.